Exploit Database

145,211 exploits tracked across all sources.

CVE-2023-37469 WRITEUP HIGH
CasaOS < 0.4.4 - Authenticated Remote Code Execution via SMB Connection
CasaOS is an open-source personal cloud system. Prior to version 0.4.4, if an authenticated user using CasaOS is able to successfully connect to a controlled SMB server, they are able to execute arbitrary commands. Version 0.4.4 contains a patch for the issue.
CVSS 8.8
CVE-2023-37266 WRITEUP CRITICAL
CasaOS < 0.4.4 - Unauthenticated Remote Code Execution via JWT Validation Bypass
CasaOS is an open-source Personal Cloud system. Unauthenticated attackers can craft arbitrary JWTs and access features that usually require authentication and execute arbitrary commands as `root` on CasaOS instances. This problem was addressed by improving the validation of JWTs in commit `705bf1f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict untrusted users' access to CasaOS, for instance by not exposing it publicly.
CVSS 9.8
CVE-2023-37265 WRITEUP CRITICAL
CasaOS < 0.4.4 - Unauthenticated Remote Code Execution via IP Address Verification Bypass
CasaOS is an open-source Personal Cloud system. Due to a lack of IP address verification, unauthenticated attackers can execute arbitrary commands as `root` on CasaOS instances. The problem was addressed by improving the detection of client IP addresses in `391dd7f`. This patch is part of CasaOS 0.4.4. Users should upgrade to CasaOS 0.4.4. If they can't, they should temporarily restrict untrusted users' access to CasaOS, for instance by not exposing it publicly.
CVSS 9.8
CVE-2022-24193 WRITEUP CRITICAL
CasaOS < 0.2.7 - OS Command Injection
CasaOS before v0.2.7 was discovered to contain a command injection vulnerability.
CVSS 9.8
CVE-2025-34292 WRITEUP CRITICAL
BeWelcome Rox < c60bf04 - Remote Code Execution via PHP Object Injection
Rox, the software running BeWelcome, contains a PHP object injection vulnerability resulting from deserialization of untrusted data. User-controlled input is passed to PHP's `unserialize()`: the POST parameter `formkit_memory_recovery` in `\RoxPostHandler::getCallbackAction` and the 'memory cookie' read by `\RoxModelBase::getMemoryCookie` (`bwRemember`). (1) If present, `formkit_memory_recovery` is processed and passed to `unserialize()`, and (2) restore-from-memory functionality calls `unserialize()` on the `bwRemember` cookie value. Gadget chains present in Rox and bundled libraries enable exploitation of object injection to write arbitrary files or achieve remote code execution. Successful exploitation can lead to full site compromise. This vulnerability was remediated with commit c60bf04 (2025-06-16).
CVE-2025-34433 WRITEUP CRITICAL
AVideo 14.3.1-20.1 - Unauthenticated Remote Code Execution via Predictable Installation Salt
AVideo versions from 14.3.1 and prior to 20.1 contain an unauthenticated remote code execution vulnerability caused by predictable generation of an installation salt using PHP `uniqid()`. The installation timestamp is exposed via a public endpoint, and a derived hash identifier is accessible through unauthenticated API responses, allowing attackers to brute-force the remaining entropy. The recovered salt can then be used to encrypt a malicious payload supplied to a notification API endpoint that evaluates attacker-controlled input, resulting in arbitrary code execution as the web server user.
CVE-2025-34434 WRITEUP CRITICAL
AVideo < 20.1 - Unauthenticated Arbitrary File Upload and Deletion via ImageGallery Plugin
AVideo versions prior to 20.1 with the ImageGallery plugin enabled are vulnerable to unauthenticated file upload and deletion. Plugin endpoints responsible for managing gallery images fail to enforce authentication checks and do not validate ownership, allowing unauthenticated attackers to upload or delete images associated with any image-based video.
CVSS 9.1
CVE-2025-34435 WRITEUP MEDIUM
AVideo < 20.1 - Authenticated Arbitrary File Deletion via IDOR
AVideo versions prior to 20.1 are vulnerable to an insecure direct object reference (IDOR) that allows any authenticated user to delete media files belonging to other users. The affected endpoint validates authentication but fails to verify ownership or edit permissions for the targeted video.
CVSS 6.5
CVE-2025-34436 WRITEUP HIGH
AVideo < 20.1 - Authenticated Arbitrary File Upload via Insecure Direct Object Reference
AVideo versions prior to 20.1 allow any authenticated user to upload files into directories belonging to other users due to an insecure direct object reference. The upload functionality verifies authentication but does not enforce ownership checks.
CVSS 8.8
CVE-2025-34437 WRITEUP HIGH
AVideo < 20.1 - Authenticated Arbitrary Comment Image Upload via Missing Ownership Check
AVideo versions prior to 20.1 permit any authenticated user to upload comment images to videos owned by other users. The endpoint validates authentication but omits ownership checks, allowing attackers to perform unauthorized uploads to arbitrary video objects.
CVSS 8.8
CVE-2025-34438 WRITEUP HIGH
AVideo < 20.1 - Insecure Direct Object Reference in Video Rotation Metadata
AVideo versions prior to 20.1 contain an insecure direct object reference vulnerability allowing users with upload permissions to modify the rotation metadata of any video. The endpoint verifies upload capability but fails to enforce ownership or management rights for the targeted video.
CVSS 8.1
CVE-2025-34439 WRITEUP MEDIUM
AVideo < 20.1 - Open Redirect via cancelUri Parameter
AVideo versions prior to 20.1 are vulnerable to an open redirect flaw due to missing validation of the cancelUri parameter during user login. An attacker can craft a link to redirect users to arbitrary external sites, enabling phishing attacks.
CVSS 6.1
CVE-2025-34440 WRITEUP MEDIUM
AVideo < 20.1 - Open Redirect via siteRedirectUri Parameter
AVideo versions prior to 20.1 contain an open redirect vulnerability caused by insufficient validation of the siteRedirectUri parameter during user registration. Attackers can redirect users to external sites, facilitating phishing attacks.
CVSS 6.1
CVE-2025-34441 WRITEUP HIGH
AVideo < 20.1 - Unauthenticated Exposure of Sensitive User Information via Public API
AVideo versions prior to 20.1 expose sensitive user information through an unauthenticated public API endpoint. Responses include emails, usernames, administrative status, and last login times, enabling user enumeration and privacy violations.
CVSS 7.5
CVE-2025-34442 WRITEUP HIGH
AVideo < 20.1 - Sensitive System Information Exposure via Public API Endpoints
AVideo versions prior to 20.1 disclose absolute filesystem paths via multiple public API endpoints. Returned metadata includes full server paths to media files, revealing underlying filesystem structure and facilitating more effective attack chains.
CVSS 7.5
CVE-2025-34506 WRITEUP HIGH
WBCE CMS < 1.6.3 - Authenticated Remote Code Execution via Malicious Module Upload
WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed.
CVSS 8.8
CVE-2025-3416 WRITEUP LOW
Red Hat Directory Server 11 - Use-After-Free in OpenSSL Properties Handling
A flaw was found in OpenSSL's handling of the properties argument in certain functions. This vulnerability can allow use-after-free exploitation, which may result in undefined behavior or incorrect property parsing, leading to OpenSSL treating the input as an empty string.
CVSS 3.7
CVE-2025-35036 WRITEUP HIGH
Hibernate Validator < 6.2.0 - Code Injection via Expression Language Interpolation
Hibernate Validator before 6.2.0 and 7.0.0, by default and depending on how it is used, may interpolate user-supplied input in a constraint violation message with Expression Language. This could allow an attacker to access sensitive information or execute arbitrary Java code. Hibernate Validator as of 6.2.0 and 7.0.0 no longer interpolates custom constraint violation messages with Expression Language and strongly recommends not allowing user-supplied input in constraint violation messages. CVE-2020-5245 and CVE-2025-4428 are examples of related, downstream vulnerabilities involving Expression Language interpolation of user-supplied data.
CVSS 7.3
CVE-2025-3568 WRITEUP LOW
Webkul Krayin CRM <= 2.1.0 - Cross-Site Scripting in SVG File Handler
A vulnerability has been found in Webkul Krayin CRM up to 2.1.0 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /admin/settings/users/edit/ of the component SVG File Handler. The manipulation leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor prepares a fix for the next major release and explains that he does not think therefore that this should qualify for a CVE.
CVSS 3.5
CVE-2025-3815 WRITEUP MEDIUM
SurveyJS plugin - WordPress <1.12.32 - XSS
The SurveyJS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ parameter in all versions up to, and including, 1.12.32 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS 6.4
CVE-2025-3965 WRITEUP LOW
itwanger paicoding 1.0.3 - Stored Cross-Site Scripting via /article/app/post Content Argument
A vulnerability has been found in itwanger paicoding 1.0.3 and classified as problematic. Affected by this vulnerability is an unknown functionality of the file /article/app/post. The manipulation of the argument content leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS 3.5
CVE-2025-3966 WRITEUP MEDIUM
itwanger paicoding 1.0.3 - Info Disclosure
A vulnerability was found in itwanger paicoding 1.0.3 and classified as problematic. Affected by this issue is some unknown functionality of the file /user/home?userId=1&homeSelectType=read of the component Browsing History Handler. The manipulation leads to information disclosure. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
CVSS 4.3
CVE-2025-3967 WRITEUP MEDIUM
itwanger paicoding 1.0.3 - Auth Bypass
A vulnerability was found in itwanger paicoding 1.0.3. It has been classified as critical. This affects an unknown part of the file /article/api/post of the component Article Handler. The manipulation of the argument articleId leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVSS 5.4